I was recently onsite for around two weeks and noticed a lot of things that were, let's just say, plain wrong. I was not doing a security assessment of any type; I was just there to help the IT help desk. During my time onsite I saw passwords being sent via email, passwords around computer screens, and users would get up and leave me with their computer without even asking who I was.

So I guess my question is: other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

I guess one of the problems with the end user is they don't care, as it's the company being attacked, not them. So do you think it is ethical to target the user?

Jamie.R wrote: So I guess my question is: other than training, what other ways are there to teach end users about security? How hard do you think the lesson should be?

Other than training? The only things left are that organizations have to be punitive, or implement security apps that force compliance with security policies... but that's the big problem: there have to be security policies, and they need to be supported high within the organization.

However, the MOST effective method of improving security within an organization has been training, so that's where most of the money and efforts have been placed, and rightly so.

I see these same things every day. It was worse when I worked for a local medical profession. Users getting up with patient data showing and computers not locked. I agree with Grendel: the only way to fix or work on this is to have the support of upper management and have strict policies. You could try setting the screen timeouts and using group policy, but that's still a long shot to getting users to comply.

What I'm about to say will undoubtedly sound pedantic, but please understand you hit a nerve of mine that stems from a continual need by many to be noticed (even if they don't say anything valid). But the examples you provided are perfect examples of noise, simply for the sake of noise. There are a lot of posts similar to what you pointed to that are more like blogs, and less like valid research in the field of InfoSec. As a researcher, you always have to look at the source material and evaluate its validity in a discussion of this matter.

Simply put, none of the articles you linked have any research value. Instead, check out legitimate research, like that done by Susan Handche, professor at George Mason University (as an example). In "The Privacy Papers" (published by Auerbach), she writes that "corporations and government agencies... will have to dedicate more resources to staffing and training of information system security professionals," and that employees "are not aware of the security consequences caused by certain actions... Thus it is imperative for every organization to provide employees with IT-related security information that points out the threats and ramifications of not actively participating in the protection of their information."

She also indicated that "informed and trained employees can be a crucial factor in the effective functioning and protection of information systems." She also documents her findings, which doesn't happen in your articles.

There is a ton of real research, performed by real researchers out there, with research statistics to back up their claims. I just get frustrated reading articles like what you pointed out without any real research being done... and then people (not necessarily you) quote them as something close to gospel.

Jamie.R wrote: I guess the question I am asking is how can you make an end user care about security. It seems to me that most end users don't care unless something affects them directly.

Companies can spend as much money on training as they want, but unless the end user puts into practice what he/she has learned, IMO the training is pointless.

I'm a believer in what Thomas Smith wrote regarding advertising. Just replace the word "ad" with "security recommendation" and you'll see what it takes to make end users want to participate in securing their organization:

"The first time people look at any given ad, they don't even see it. The second time, they don't notice it. The third time, they are aware that it is there. The fourth time, they have a fleeting sense that they've seen it somewhere before. The fifth time, they actually read the ad. The sixth time they thumb their nose at it. The seventh time, they start to get a little irritated with it. The eighth time, they start to think, "Here's that confounded ad again." The ninth time, they start to wonder if they're missing out on something. The tenth time, they ask their friends and neighbors if they've tried it. The eleventh time, they wonder how the company is paying for all these ads. The twelfth time, they start to think that it must be a good product. The thirteenth time, they start to feel the product has value. The fourteenth time, they start to remember wanting a product exactly like this for a long time. The fifteenth time, they start to yearn for it because they can't afford to buy it. The sixteenth time, they accept the fact that they will buy it sometime in the future. The seventeenth time, they make a note to buy the product. The eighteenth time, they curse their poverty for not allowing them to buy this terrific product. The nineteenth time, they count their money very carefully. The twentieth time prospects see the ad, they buy what it is offering."

Also, when I do SAT, I emphasize that I'm teaching them things to keep them safe at home as well as at work. People will care a lot more when it's personal, and anything that sinks in will hopefully become ingrained as part of their normal behavior regardless of where they are.

Thanks a lot, this has given me some ideas. I get sent onsite a lot and one company is extremely bad with security despite my warnings. So I was trying to think of other ways to get it into their heads that certain things they do should just not be done.